TECHNOLOGY STARTUPS AND DATA PROTECTION: AN EXAMINATION OF THE REGULATORY AND LEGAL FRAMEWORK OF DATA PRIVACY IN NIGERIA

Over the last two decades the world has witnessed tremendous advancement in technology. Technology continues to influence our daily activities. The improvement in that sector has also led to the increase in the establishment of technology startups that eventually scale to larger businesses. From commute to communication we resort to a device or service to make our lives easier.
What then is a technology startup? Techopedia defines a startup as “a company in the early stages of business development.” By extension, a technology startup is a startup whose main focus is on innovation and providing technology-based products or services. Startups are designed with the aim of solving a particular problem or servicing a particular need.
The prevalent use of technology also led to an increase in the amount of data being shared. Personal details such as our names, email addresses, telephone numbers, credit/debit card details, etc. are processed and stored in servers. Oftentimes technology startups require such data to offer better services to their customers. This gives rise to issues such as the appropriate use of data and its protection from unauthorized third-party interference. 
The recent Facebook – Cambridge Analytica scandal, which involved the harvesting of data of millions of Facebook users without their prior consent by Cambridge Analytica, has brought about an increased concern for how one’s personal data is used. In the same vein, data and identity theft have given users of technology reason to be concerned with the protection of their data. Concerns for privacy of information can lead to users resorting to “self-censorship” as a means of protecting themselves. 
The above gives rise to the question of what data privacy regulations technology startups in Nigeria are required to comply with while carrying out their drive for innovation.
In spite of the widespread adoption of technology in the country, the data privacy regime in Nigeria is still evolving and thus far has been unable to match the dynamic nature of the technology industry. 
Unfortunately, there is no specific data protection legislation of the kind found in other jurisdictions, such as the United Kingdom, which has the Data Protection Act 2018.
The protection of data in Nigeria begins with Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended) which provides for the right to privacy. It states as follows:
“The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.”
Section 37 of the Constitution appears to provide a broad protection of privacy in Nigeria; however, given the current level of improvement in technology, it can be argued that this provision would not be sufficient. Improper handling of personal data exposes the individuals concerned to immense harm. For example, in April 2018 Facebook disclosed that over 271,000 Nigerians were exposed to the Cambridge Analytica data breach. However, given the lack of data protection legislation in Nigeria, it would be a difficult task for authorities in Nigeria to demand an explanation for these breaches.
Therefore, there is a need for legislation that specifically protects data privacy in Nigeria. The presence of data protection legislation can go a long way in protecting the fundamental right to privacy that Section 37 of the Constitution provides.
NITDA Guidelines
The National Information Technology Development Agency (NITDA) is an institution that was established by the National Information Technology Development Agency Act 2007 (NITDA Act). NITDA is an agency that is responsible for the development and regulation of information technology in Nigeria. One of the means through which the agency does this is by developing guidelines, as demonstrated by Section 6(b)-(e) of the NITDA Act 2007. It states:
“6. The Agency shall:
(b) Provide guidelines to facilitate the establishment and maintenance of appropriate (sic) for information technology and systems application and development in Nigeria for public and private sectors, urban-rural development, the economy and the government.
(c) Develop guidelines for electronic governance and monitor the use of electronic data interchange and other forms of electronic communication transactions as an alternative to paper-based methods in government, commerce, education, the private and public sectors, labour, and other fields, where the use of electronic communication may improve the exchange of data and information.
(d) Develop guidelines for the networking of public and private sector establishment.
(e) Develop guidelines for the standardization and certification of Information Technology Escrow Source Code and Object Code Domiciliation, Application and Delivery Systems in Nigeria.”
In line with its functions, NITDA developed the National Information Technology Development Agency Guidelines on Data Protection (NITDA Guidelines). Although these guidelines are currently being revised, they give a good idea about what technology startups embarking on business in Nigeria should consider when handling personal data. These guidelines apply to all persons who are based in Nigeria and also to persons who are based outside Nigeria if they are involved in the processing of personal data of Nigerians and persons resident in Nigeria.
A data controller can be defined as any person or body that decides the purposes and means of processing personal data. This function can be done alone or jointly with others. Therefore in relation to personal data, a technology startup oftentimes positions itself as a data controller. 
Under the NITDA Guidelines, data controllers have the duty to inform persons about the reasons why their data is being collected, and the purpose for collecting personal information must be lawful and reasonable. The notice containing the purpose for the collection of data should be clear.
Usually the purpose for which the data is being collected is stated in a privacy policy published by the data controller. The privacy policy provides detailed information such as the type of personal information to be collected, how such information will be used, and confidentiality rights. The consent of the person in question must first be obtained before the data controller can collect any information on them. The privacy policy also makes provision for what constitutes consent. 
However, data controllers should not be at liberty to collect all information on a person. By virtue of the guidelines, a data controller shall collect only the data that is needed. Thus a technology startup should collect only the information that would enable them to provide functional products and services to consumers.
In the event that data has to be sent outside Nigeria, the following criteria need to be satisfied:
1. There should be data protection guidelines or legislation in the country that is receiving the data.
2. The transfer of data should form part of a contract that contains terms as to data protection between the data controller and the receiving party.
3. The consent of the owner of the data must have been sought and obtained.
The GDPR and Its Significance for Nigerian Technology Startups
Earlier in the year the General Data Protection Regulation (GDPR) came into effect to protect European Union citizens (EU Citizens) from breaches of data privacy. The GDPR applies to data controllers who process data of those residing within the European Union, irrespective of whether these data controllers are within the European Union or not. By virtue of this increased territorial applicability, Nigerian technology startups that intend to handle the data of EU citizens must take note of this important regulation and ensure that they comply with its provisions.
Conclusion
The aim of this article was to highlight data privacy regulations Nigerian technology startups should consider before embarking on business activities. Technology presents itself as a promising means through which business and development can be fostered. In the 21st century, data has become an important commodity that must be protected given the increased security concerns that accompany the sharing of such data. On account of this, efforts must be made to develop proper data protection legislation in Nigeria and ensure a stricter enforcement of the NITDA Guidelines. The technology industry is a dynamic one and as such the law has to be ready to match up with its dynamic nature to facilitate efforts at maintaining freedom and protection for Nigerians and residents in Nigeria.

References
1. “What is a Startup?”, Techopedia. Accessed on December 7, 2018.
2. Beck, Julie, “People Are Changing the Way They Use Social Media” <http://www.theatlantic.com/amp/article/562154/>. Accessed on December 7, 2018.
3. Anuforo, Chinenye, “Over 271,000 Nigerians affected by Facebook data breach” <https://sunnewsonline.com/over-271000-nigerians-affected-by-facebook-data-breach/>. Accessed on December 12, 2018.
4. Aderibigbe, Ngozi, “Nigeria Has A Data Protection Regime”. Accessed on December 4, 2018.

Judy-Vallery Imasuen is a legal officer at the Committee for the Defence of Human Rights who has an interest in Alternative Dispute Resolution, intellectual property law, corporate law and information technology.